From a6e85190e631771a538060f8c8ece8e9f720e8d0 Mon Sep 17 00:00:00 2001
From: Nathan Scott
Date: Thu, 15 Jun 2023 16:41:58 +1000
Subject: [PATCH] Update selinux policy for pmlogger_daily Resolves Red Hat BZ #2208154
---
 pcp.spec | 6 ++-
 ...zilla-2208154-selinux-pmlogger_daily.patch | 38 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
diff --git a/pcp.spec b/pcp.spec
index df4c9c0..234323d 100644
--- a/pcp.spec
+++ b/pcp.spec
@@ -1,12 +1,13 @@
 Name: pcp
 Version: 6.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL: https://pcp.io
 %global artifactory https://performancecopilot.jfrog.io/artifactory
 Source0: %{artifactory}/pcp-source-release/pcp-%{version}.src.tar.gz
+Patch0: redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@@ -3362,6 +3363,9 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm
 %changelog
+* Thu Jun 15 2023 Nathan Scott - 6.0.4-2
+- Resolve an selinux issue with pmlogger_daily (BZ 2208154)
+
 * Mon May 15 2023 Nathan Scott - 6.0.4-1
 - Ensure pmcd.conf not rewritten needlessly (BZ 2166819)
 - Add support for pmieconf webhook action (BZ 2185803)
diff --git a/redhat-bugzilla-2208154-selinux-pmlogger_daily.patch b/redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
new file mode 100644
index 0000000..53546e5
--- /dev/null
+++ b/redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
@@ -0,0 +1,38 @@
+diff -Naurp pcp-6.0.4.orig/src/selinux/pcp.te pcp-6.0.4/src/selinux/pcp.te
+--- pcp-6.0.4.orig/src/selinux/pcp.te 2023-02-10 10:38:09.000000000 +1100
++++ pcp-6.0.4/src/selinux/pcp.te 2023-06-15 16:28:52.975028504 +1000
+@@ -279,6 +279,7 @@ allow pcp_pmlogger_t pcp_pmcd_t:unix_str
+ allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+
+ allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
++allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };
+
+ dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };
+
+@@ -313,6 +314,10 @@ optional_policy(`
+ rpm_script_signal(pcp_pmlogger_t)
+ ')
+
++optional_policy(`
++ userdom_setattr_user_home_content_files(pcp_pmlogger_t)
++')
++
+ ########################################
+ #
+ # pcp_plugin local policy
+diff -Naurp pcp-6.0.4.orig/src/selinux/README pcp-6.0.4/src/selinux/README
+--- pcp-6.0.4.orig/src/selinux/README 2023-02-10 10:38:09.000000000 +1100
++++ pcp-6.0.4/src/selinux/README 2023-06-15 16:28:52.975028504 +1000
+@@ -98,8 +98,10 @@ In the src/selinux directory
+ == Installing ==
+
+ $ sudo semodule -X 200 -r pcp
+-(expect this to fail if a revised pcp.pp module has not previously
+-been installed)
++
++expect this to fail if a revised pcp.pp module has not previously
++been installed, in which case you'll need
++
+ $ sudo semodule -X 200 -i pcp.pp
+
+ or if semodule is too old to understand -X 200
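Review bot: The new `userdom_setattr_user_home_content_files(pcp_pmlogger_t)` block in the second pcp.te hunk lets the confined pmlogger domain change attributes on files labelled as user home content, and the policy gives no reason for it. The AVC denial behind it is not on this page, so the need is inferred: presumably pmlogger_daily touches archives kept under a home directory. If so, say that in a comment above the block, e.g. `# pmlogger_daily sets attributes on archives kept under a user home directory (RHBZ 2208154)`. If the access turns out to be incidental, a `dontaudit` rule like the existing `cap_userns` one would silence the denial without granting the permission. The added `allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };` in the first pcp.te hunk is also unexplained and would benefit from a one-line comment such as `# ldconfig is run from the pmlogger scripts and stays in pcp_pmlogger_t (RHBZ 2208154)`, once the actual caller is confirmed.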